
ECM at Work

Joppe W. Bos and Thorsten Kleinjung

Laboratory for Cryptologic Algorithms EPFL, Station 14, CH-1015 Lausanne, Switzerland

1 / 14


Motivation

The elliptic curve method for integer factorization is used
  • in the cofactorization phase of NFS (≈ 100 − 200 bits)
  • to factor large numbers (Mersenne, Cunningham etc.)

Edwards curves vs Montgomery curves
  + faster EC-arithmetic
  − more memory is required

Difficult to run Edwards-ECM fast on memory-constrained devices

This presentation: slightly faster, memory efficient Edwards ECM

2 / 14

Edwards Curves (based on work by Euler & Gauss)

  • Edwards curves
  • Twisted Edwards curves
  • Inverted Edwards coordinates
  • Extended twisted Edwards coordinates

A twisted Edwards curve is defined (ad(a − d) ≠ 0) by
  ax² + y² = 1 + dx²y²
and, in projective coordinates,
  (aX² + Y²)Z² = Z⁴ + dX²Y²

Elliptic Curve Point Addition
  a = −1: 8M
  a = −1, Z₁ = 1: 7M
Elliptic Curve Point Duplication
  a = −1: 3M + 4S

  • 2007: H. M. Edwards. A normal form for elliptic curves. Bulletin of the American Mathematical Society
  • 2007: D. J. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. Asiacrypt
  • 2008: H. Hisil, K. K.-H. Wong, G. Carter, and E. Dawson. Twisted Edwards curves revisited. Asiacrypt

3 / 14

Elliptic Curve Method (ECM)

Try and factor n = p · q with 1 < p < q < n.

Repeat:
  • Pick a random point P and construct an elliptic curve E over Z/nZ containing P
  • Compute Q = kP ∈ E(Z/nZ) for some k ∈ Z
  • If #E(F_p) | k (and #E(Z/qZ) ∤ k) then Q and the neutral element become the same modulo p: p = gcd(n, Q_z)

In practice, given a bound B1 ∈ Z: k = lcm(1, 2, . . . , B1)

Complexity: O(exp((√2 + o(1)) · √(log p · log log p)) · M(log n)),
where M(log n) represents the complexity of multiplication modulo n and the o(1) is for p → ∞.

  • H. W. Lenstra Jr. Factoring integers with elliptic curves. Annals of Mathematics, 1987.

4 / 14
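The procedure on this slide, using the a = −1 extended twisted Edwards addition and doubling of slide 3, as an added Python example (this is not the authors' EECM-MPFQ code nor GMP-ECM). Everything below the formulas is an assumption of the example: n = 1009 · 100003 and B1 = 100 are constructed test values, the scalar multiplication is plain double-and-add rather than the signed sliding windows the deck uses, and the curve is built by choosing a random point (x, y) first and solving the curve equation for d.

```python
# ECM stage 1 on a twisted Edwards curve with a = -1 in extended coordinates
# (X : Y : Z : T), T = XY/Z, using the Hisil-Wong-Carter-Dawson formulas whose
# operation counts the slides quote (addition 8M; the 3M+4S doubling skips T,
# here T is kept, so 4M+4S).  Added example, not the authors' EECM code.
import random
from math import gcd

def ed_add(P, Q, n, d2):
    """Unified addition for a = -1 with d2 = 2d mod n (8 multiplications)."""
    X1, Y1, Z1, T1 = P
    X2, Y2, Z2, T2 = Q
    A = (Y1 - X1) * (Y2 - X2) % n
    B = (Y1 + X1) * (Y2 + X2) % n
    C = T1 * d2 % n * T2 % n
    D = 2 * Z1 * Z2 % n
    E, F, G, H = B - A, D - C, D + C, B + A
    return (E * F % n, G * H % n, F * G % n, E * H % n)

def ed_double(P, n):
    """Doubling for a = -1; the curve constant d is not needed (4M + 4S)."""
    X1, Y1, Z1, _ = P
    A = X1 * X1 % n
    B = Y1 * Y1 % n
    C = 2 * Z1 * Z1 % n
    D = -A                                   # a * A with a = -1
    E = ((X1 + Y1) * (X1 + Y1) - A - B) % n  # = 2 X1 Y1
    G = D + B
    F = G - C
    H = D - B
    return (E * F % n, G * H % n, F * G % n, E * H % n)

def ed_mul(k, P, n, d2):
    """k * P by left-to-right double-and-add (the deck uses signed sliding windows)."""
    R = None
    for bit in bin(k)[2:]:
        if R is not None:
            R = ed_double(R, n)
        if bit == '1':
            R = P if R is None else ed_add(R, P, n, d2)
    return R

def stage1_bound(B1):
    """k = lcm(1, 2, ..., B1), i.e. the product of all prime powers <= B1."""
    k = 1
    for m in range(2, B1 + 1):
        k = k * m // gcd(k, m)
    return k

def ecm_stage1(n, B1, curves=200, seed=1):
    """Try up to `curves` random a = -1 curves; return a proper factor of n or None."""
    rng = random.Random(seed)
    k = stage1_bound(B1)
    for _ in range(curves):
        # Pick the point first, then the curve -x^2 + y^2 = 1 + d x^2 y^2 through it:
        # d = (y^2 - x^2 - 1) / (x^2 y^2) mod n  (assumed construction).
        x, y = rng.randrange(1, n), rng.randrange(1, n)
        xy2 = x * x * y * y % n
        g = gcd(xy2, n)
        if g == n:
            continue
        if g > 1:
            return g                  # the inversion itself exposed a factor
        d = (y * y - x * x - 1) * pow(xy2, -1, n) % n
        P = (x, y, 1, x * y % n)
        Q = ed_mul(k, P, n, 2 * d % n)
        # The neutral element of an Edwards curve is (0, 1), so kP is neutral
        # modulo p exactly when p | X(kP); the slide's gcd(n, Q_z) is the same
        # test in a model whose neutral element has Z = 0.
        g = gcd(Q[0], n)
        if 1 < g < n:
            return g
    return None

if __name__ == '__main__':
    n = 1009 * 100003              # constructed test value
    print(ecm_stage1(n, B1=100))   # 1009 or 100003
```

With p ≈ 1000 most curve orders are 100-smooth, so a handful of curves suffices; for the 100–200-bit cofactors of the motivation slide the same loop runs with B1 in the thousands and thousands of curves, which is why the per-curve cost in the later tables matters.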

EC-multiplication

Notation: A (EC-additions), D (EC-duplications), R (residues in memory), M (modular multiplications), S (modular squarings)

                      Montgomery    Edwards
  EC-multiplication   PRAC          e.g. signed sliding-window method with w-bit windows
  #R                  14            4 · 2^(w−1) + 4 + 2

Performance: #(S + M)/bit ≈ 8-9

B1 → ∞:
  • #A/bit → 0, #R → ∞ → (3M + 4S)/bit

  • D. J. Bernstein, P. Birkner, T. Lange, and C. Peters. ECM using Edwards curves. Cryptology ePrint Archive, Report 2008/016
  • D. J. Bernstein, P. Birkner, and T. Lange. Starfish on strike. Latincrypt, 2010

5 / 14

 B1                    #S          #M       #S+#M      #R
 GMP-ECM
   256              1,066       2,025       3,091      14
   512              2,200       4,210       6,400      14
   1,024            4,422       8,494      12,916      14
   12,288          53,356     103,662     157,018      14
   49,152         214,130     417,372     631,502      14
   262,144      1,147,928   2,242,384   3,390,312      14
   1,048,576    4,607,170   9,010,980  13,618,150      14
 EECM-MPFQ (a = −1)
   256              1,436       1,608       3,044      38
   512              2,952       3,138       6,090      62
   1,024            5,892       6,116      12,008     134
   12,288          70,780      67,693     138,473   1,046
   49,152         283,272     260,372     543,644   2,122
   262,144      1,512,100   1,351,268   2,863,368   9,286
   1,048,576    6,050,208   5,306,139  11,356,347  32,786

6 / 14

Elliptic Curve Constant Scalar Multiplication

In practice people use the same B1 for many numbers: can we do better for a fixed B1?

  • B. Dixon and A. K. Lenstra. Massively parallel elliptic curve factoring. Eurocrypt 1992.

Observation: low Hamming-weight integers → fewer EC-additions
Idea: search for low-weight prime products; partition the set of primes into subsets of cardinality at most three
Result: lowered the weight by ≈ a factor three

  1028107 · 1030639 · 1097101 = 1162496086223388673
  w(1028107) = 10, w(1030639) = 16, w(1097101) = 11, w(1162496086223388673) = 8

7 / 14

Elliptic Curve Constant Scalar Multiplication

We try the opposite approach (c(s) := #A in the addition chain):
  • Generate integers s with a “good” D/A ratio
  • Test for B1-smoothness and factor these integers: s = ∏_i ŝ_i

  • J. Franke, T. Kleinjung, F. Morain, and T. Wirth. Proving the primality of very large numbers with fastECPP. Algorithmic Number Theory 2004

Combine integers s_j such that

  ∏_i s_i = ∏_i ∏_j ŝ_{i,j} = k = lcm(1, . . . , B1) = ∏_ℓ p_ℓ,

i.e. all the ŝ_{i,j} match all the p_ℓ, such that

  Σ_i c(s_i = ∏_j ŝ_{i,j}) < c′(∏_i ∏_j ŝ_{i,j}) = c′(k)

8 / 14

Addition/subtraction chain

Addition/subtraction chain resulting in s:
  a_r = s, . . . , a_1, a_0 = 1 s.t. every a_i = a_j ± a_k with 0 ≤ j, k < i

Avoid unnecessary computations
  • Only double the last element: A3,0, D0, D0, D0 → (3, 2, 2, 2, 1) vs A1,0, D0 → (3, 2, 1)
  • Only add or subtract to the last integer in the sequence (Brauer chains or star addition chains). This avoids computing the addition of two previous values without using this result.

9 / 14

Addition chains with restrictions

Reduce the number of duplicates

Idea: only add or subtract an even number from an odd number, and after an addition (or subtraction) always perform a duplication

Generation: start with u_0 = 1 (and end with a ±), then
  u_{i+1} = 2u_i, or
  u_{i+1} = u_i ± u_j for j < i with u_i ≡ 0 ≢ u_j (mod 2)

Given A EC-additions and D EC-duplications this approach generates (D−1 choose A−1) · A! · 2^A integers

10 / 14

Brauer chains vs Restricted chains (A = 3, D = 50)

  140 · #Restricted chains ≈ #Brauer chains
  1.09 · uniq(#Restricted chains) ≈ uniq(#Brauer chains)

No storage
  • Only add or subtract the input
  • Fewer integers are generated: (D−1 choose A−1) · 2^A

Combining the smooth integers
  • Greedy approach (use good D/A ratios first)
  • Selection process is randomized
  • Score according to the size of the prime divisors
  • Left-overs are done using brute-force

11 / 14

2.9 · 10⁹-smoothness testing

 No-storage setting                Low-storage setting
 A   D          #ST                A   D          #ST
 1   5−200      3.920 · 10²        1   5−250      4.920 · 10²
 2   10−200     7.946 · 10⁴        2   10−250     2.487 · 10⁵
 3   15−200     1.050 · 10⁷        3   15−250     1.235 · 10⁸
 4   20−200     1.035 · 10⁹        4   20−221     3.714 · 10¹⁰
 5   25−200     8.114 · 10¹⁰       5   25−152     2.429 · 10¹²
 6   30−124     2.858 · 10¹¹       5   153−220    1.460 · 10¹¹
 7   35−55      2.529 · 10¹⁰       6   60−176     2.513 · 10¹¹
 Total          3.932 · 10¹¹       Total          2.864 · 10¹²

2.9 · 10⁹-smoothness tests on our mini-cluster using 4.5 GB memory (5 × 8 Intel Xeon CPU E5430 2.66GHz); results obtained in ≈ 6 months

Smooth integers
 B1              No-storage     Low-storage    Total
 3 000 000       1.99 · 10⁹     7.00 · 10⁹     8.99 · 10⁹
 2 900 000 000   1.05 · 10¹⁰    3.47 · 10¹⁰    4.53 · 10¹⁰

12 / 14

Example B1 = 256, No-Storage

 #D    #A   product                                   addition chain
 11    1    89 · 23                                   S0D11
 14    2    197 · 83                                  S0D5S0D9
 15    2    193 · 191                                 S0D12A0D3
 15    2    199 · 19 · 13                             A0D14A0D1
 18    1    109 · 37 · 13 · 5                         A0D18
 19    2    157 · 53 · 7 · 3 · 3                      S0D6S0D13
 21    3    223 · 137 · 103                           A0D10A0D10A0D1
 23    3    179 · 149 · 61 · 5                        S0D13A0D5S0D5
 28    1    127 · 113 · 43 · 29 · 5 · 3               S0D28
 30    3    181 · 173 · 167 · 11 · 7 · 3              A0D11A0D16A0D3
 33    5    211 · 73 · 67 · 59 · 47 · 3               S0D6A0D2A0D11S0D3S0D11
 36    4    241 · 131 · 101 · 79 · 31 · 11            A0D2A0D16A0D16A0D2
 41    4    233 · 229 · 163 · 139 · 107 · 17          S0D9S0D4S0D11S0D17
 49    5    251 · 239 · 227 · 151 · 97 · 71 · 41      S0D3S0D29A0D4A0D8A0D5
 8     –    2⁸                                        D8
 361   38   Total

13 / 14
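The restricted chains of slides 10 and 11 (no-storage and low-storage generation, and the count of integers each produces), the B1-smoothness test of slide 8, and the chain table on this slide, as one added Python example (this is not the authors' search code). The chain strings in SLIDE25_CHAINS are copied from this slide; reading each one right to left starting from 1 reproduces its product, and multiplying all of them gives lcm(1, . . . , 256) with the 361 doublings and 38 additions of the Total row. Assumptions of the example: the Aj/Sj index for j > 0 extends the deck's A0/S0 notation to the low-storage setting (add or subtract the j-th stored odd value), and the smoothness test is plain trial division.

```python
# Restricted addition/subtraction chains (slides 10-11): enumerate every chain
# with A additions and D doublings in the no-storage and low-storage settings,
# evaluate the deck's chain notation, test the integers for B1-smoothness and
# check that the slide-25 chains multiply out to lcm(1, ..., 256).  Added
# example, not the authors' search code; SLIDE25_CHAINS is copied from slide
# 25, and Aj/Sj with j > 0 is an assumed extension of the deck's A0/S0 notation.
import re
from functools import reduce
from itertools import combinations, product
from math import comb, factorial, gcd

OP = re.compile(r'([ADS])(\d+)')

def eval_chain(chain):
    """Evaluate e.g. 'S0D12A0D3'.  The deck writes operations right to left, so
    read from the end starting at 1: Dn doubles n times, Aj / Sj adds / subtracts
    the j-th stored odd value (u_0 = 1 has index 0, the j-th addition result index j)."""
    u, odd = 1, [1]
    for op, n in reversed(OP.findall(chain)):
        if op == 'D':
            u <<= int(n)
        else:
            u = u + odd[int(n)] if op == 'A' else u - odd[int(n)]
            odd.append(u)              # odd result, reusable in the low-storage setting
    return u

def chain_cost(chain):
    """(#D, #A) of a chain string."""
    ops = OP.findall(chain)
    return sum(int(n) for op, n in ops if op == 'D'), sum(op != 'D' for op, _ in ops)

def restricted_chains(A, D, low_storage=False):
    """Yield (s, chain) for every restricted chain with A additions and D doublings:
    the chain ends with a +/-, every other addition is followed by a doubling, and
    an odd stored value is added to or subtracted from the even running value.
    No-storage: only u_0 = 1; low-storage: any of the i stored odd values at the i-th +/-."""
    for cuts in combinations(range(1, D), A - 1):
        bounds = (0,) + cuts + (D,)
        runs = [b - a for a, b in zip(bounds, bounds[1:])]  # doublings before each +/-
        choices = [range(i) if low_storage else (0,) for i in range(1, A + 1)]
        for signs in product('AS', repeat=A):
            for idx in product(*choices):
                ops = []
                for r, sgn, j in zip(runs, signs, idx):
                    ops += [f'D{r}', f'{sgn}{j}']
                chain = ''.join(reversed(ops))
                yield eval_chain(chain), chain

def chain_count(A, D, low_storage=False):
    """Closed form from the slides: (D-1 choose A-1) * 2^A, times A! with storage."""
    return comb(D - 1, A - 1) * 2 ** A * (factorial(A) if low_storage else 1)

def factor_if_smooth(s, B1):
    """{p: e} if s divides lcm(1, ..., B1), i.e. every prime power p^e exactly
    dividing s has p^e <= B1; otherwise None.  Trial division suffices here."""
    fac, rest, p = {}, s, 2
    while p <= B1 and p * p <= rest:
        e = 0
        while rest % p == 0:
            rest, e = rest // p, e + 1
        if e:
            if p ** e > B1:
                return None
            fac[p] = e
        p += 1 if p == 2 else 2
    if rest > B1:                       # leftover prime (or cofactor) too large
        return None
    if rest > 1:
        fac[rest] = 1
    return fac

def find_smooth(A, D, B1, low_storage=False):
    """All (s, chain, factorization) with s B1-smooth among the restricted chains."""
    out = []
    for s, chain in restricted_chains(A, D, low_storage):
        fac = factor_if_smooth(s, B1)
        if fac:
            out.append((s, chain, fac))
    return out

SLIDE25_CHAINS = [  # slide 25, B1 = 256, no-storage; 'D8' supplies the factor 2^8
    'S0D11', 'S0D5S0D9', 'S0D12A0D3', 'A0D14A0D1', 'A0D18', 'S0D6S0D13',
    'A0D10A0D10A0D1', 'S0D13A0D5S0D5', 'S0D28', 'A0D11A0D16A0D3',
    'S0D6A0D2A0D11S0D3S0D11', 'A0D2A0D16A0D16A0D2', 'S0D9S0D4S0D11S0D17',
    'S0D3S0D29A0D4A0D8A0D5', 'D8']

def covers_lcm(chains, B1):
    """True if the chain values multiply out to exactly k = lcm(1, ..., B1)."""
    k = reduce(lambda a, m: a * m // gcd(a, m), range(2, B1 + 1), 1)
    return reduce(lambda a, c: a * eval_chain(c), chains, 1) == k

def total_cost(chains):
    """(#D, #A) summed over the chains."""
    return tuple(map(sum, zip(*map(chain_cost, chains))))

if __name__ == '__main__':
    print(covers_lcm(SLIDE25_CHAINS, 256), total_cost(SLIDE25_CHAINS))  # True (361, 38)
    for s, chain, fac in find_smooth(2, 15, 256):
        print(s, chain, fac)
```

Enumerating (A, D) = (3, 50) reproduces the two counts on slide 11: 9408 integers without storage and 56448 with it. The greedy combination step of slide 11 (cover every prime power of k exactly once, good D/A ratios first) is what turns such smooth integers into a table like the one above; the covers_lcm check is the acceptance test that step must pass.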

Results

 Cost \ B1              256      512     1024    12,288    49,152    262,144
 EECM-MPFQ
   #M                 1,608    3,138    6,116    67,693   260,372  1,351,268
   #S                 1,436    2,952    5,892    70,780   283,272  1,512,100
   #M+#S              3,044    6,090   12,008   138,473   543,644  2,863,368
   A                     69      120      215     1,864     6,392     29,039
   D                    359      738    1,473    17,695    70,818    378,025
   #R                    38       62      134     1,046     2,122      9,286
 No Storage Setting
   #M                 1,400    2,842    5,596    65,873   262,343  1,389,078
   #S                 1,444    2,964    5,912    70,768   283,168  1,511,428
   #M+#S              2,844    5,806   11,508   136,641   545,511  2,900,506
   A                     38       75      141     1,564     6,113     31,280
   D                    361      741    1,478    17,692    70,792    377,857
   #R                    10       10       10        10        10         10
 Low Storage Setting
   #M                 1,383    2,783    5,481    64,634   255,852  1,354,052
   #S                 1,448    2,964    5,908    70,740   283,056  1,510,796
   #M+#S              2,831    5,747   11,389   135,374   538,908  2,864,848
   A                     35       66      124     1,366     5,127     25,956
   D                    362      741    1,477    17,685    70,764    377,699
   #R                    22       22       22        26        26         26

14 / 14
